The U.S. Department of Defense plans to spend $1.2 trillion to develop major weapons, according to reports from the Congressional Budget Office, and the Pentagon expects to spend more in future years. Because of that, Defense leaders decided it was time the government tested the cybersecurity of these systems.
Most expected a U.S. Government Accountability Office (GAO) report to find some level of cyber vulnerability. After all, no connected systems are completely immune from hackers or cybercriminals. Few expected to learn that nearly every heavily computerized system tested by the DoD between 2012 and 2017 showed “mission-critical cyber vulnerabilities.”
Until recently, the Pentagon had not made the cybersecurity of its weapon systems a priority, according to the GAO. With foreign hackers increasing attacks against all levels of government, it has become clear that cybersecurity policy must become a fundamental part of all public sector operations. This includes acquisition policy.
Government under attack
Having secure systems begins with purchasing parts and products that are secure by design. Unfortunately, few government agencies have prioritized doing that. Most put their energy into assuring they are getting the lowest price. Cost, schedule and performance are the “three pillars of acquisition,” and purchases are optimized by balancing the three. However, these three pillars do not go far enough in the digital age. A recent survey from security consultancy Netwrix found the public sector lags the private sector in cybersecurity, and only 14 percent of government respondents consider themselves “well prepared” for IT risks. In today’s environment we must ask whether cybersecurity is more important than cost, schedule and performance combined. In some weapon systems it undoubtedly is. In DoD, every procurement decision is a security decision. Shouldn’t we be buying the best cyber solutions on the market today if we want to win in the cyber wars?
In fiscal 2016, U.S. government agencies reported nearly 31,000 information security incidents, of which 16 were considered “major incidents.” According to the DoD’s own cyber strategy, China is eroding U.S. military superiority by persistently stealing sensitive information from public and private sector institutions. Russia has used cyber-enabled information operations to influence our population and challenge our democratic processes, the report said. North Korea and Iran have stepped up their cyberattacks.
The nature of warfare is changing, too, according to a report outlining the DoD’s “Deliver Uncompromised” cybersecurity initiative. War is no longer fought only by air, sea and land, but also by infiltrating, corrupting or seizing control of the digital assets of rival governments. Last June, U.S. Deputy Under Secretary of Defense for Intelligence Kari Bingen told Congress the DoD will completely overhaul how it purchases technology, putting pressure not only on its own buyers to do better, but on vendors to deliver more secure systems.
“We must have confidence that industry is delivering capabilities, technologies and weapon systems that are uncompromised by our adversaries, secure from cradle-to-grave,” Bingen said.
Cybersecurity as the “fourth pillar of acquisition”
For government agency purchasers, this reinforces that every acquisition is a security decision. Any connected technology — whether it is a desktop computer, laptop, tablet, smartphone, network printer or even a Bluetooth-enabled light bulb — should be scrutinized to ensure cybersecurity is a key metric. Cost, schedule and performance alone will no longer dominate.
The private sector will have to do its part as well. Delivering technology where all cybersecurity is handled through add-on products — such as hardware firewalls or antivirus software — will be viewed as wholly inadequate. Cybersecurity must be baked into the product design.
Hardening endpoint devices
Government contractors will need to do their part by delivering safer and more secure endpoint devices, such as laptops and networked computers. These systems especially need to be designed with cybersecurity in mind. A recent McAfee report notes that most Internet of Things edge devices provide no built-in defense, so one successful exploit can essentially own the device. Hackers know this and have been targeting edge devices such as printers more aggressively.
That is why technology vendors have prioritized hardening computers’ hardware and firmware, such as the BIOS, against attack. They are adding features that help keep critical security processes running even if malware tries to shut them down, and that let a device recover more quickly should an attack succeed. Security features to fortify the network printer are also part of this progression.
Another effect of the public sector’s emphasis on cybersecurity is the emergence of a “Device-as-a-Service” (DaaS) subscription model, in which organizations outsource device selection, management and security to a qualified third party. The model is intended to keep employees on the most up-to-date and secure environments. Responsibility for security policies, fleet management, handling of confidential information and end-of-life device disposal is taken on by a manufacturer or service provider with deep expertise in fleet cybersecurity.
With foreign hackers more active than ever before and increasingly targeting every aspect of government, it is time to take action to strengthen defenses against the many and evolving cyber threats to governments, individuals, commerce and critical global infrastructure. One of the most immediate steps government can take is to embrace cybersecurity as a fourth pillar of acquisition.
Tommy Gardner is HP’s chief technology officer for HP federal, spanning the U.S. federal agencies, higher education, K-12 education, state and local government customer segments.